ffdroider | a222934b1c6c67ebf726df4f5840b3de00f0d6ddfe6cb9f6f6f11e0ae1ea2770

General

Target

2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe
Size

1.1MB
MD5

14196d68dd0ba86c495e0ad66097ac3a
SHA1

3c90704f1480a9ff18e09d69fedeed0a8f6b80d3
SHA256

a222934b1c6c67ebf726df4f5840b3de00f0d6ddfe6cb9f6f6f11e0ae1ea2770
SHA512

4ca1627d4a171ed5070019a96dc0fcf078a21309b7d1add1c61c7db95282df03bf1835f19513962565672d298dcd71bf602ed8735931bd154467d6c5eebb798b
SSDEEP

24576:rSMR9ShOWpqJ5+CYhJyQt6gfP7ZD+wYUSSUPQ5bzqBDjNrRgjqMvShX:8qgl06yQ5bqjBCjPSZ

Score

10^/10

ffdroider discovery spyware stealer

Malware Config

Extracted

Family

ffdroider

C2

http://101.36.107.74

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Ffdroider family
ffdroider
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	1384	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1384	2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-12_14196d68dd0ba86c495e0ad66097ac3a_amadey_black-basta_elex_luca-stealer_smoke-loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1344
  2⤵
  - Program crash
  PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1384 -ip 1384
1⤵
PID:312

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0c386f32669c43bf39e465963d910981

SHA1
7c88d906954ebdb5b208749721c493f545971bef

SHA256
29dfcf02b6c6695653555d3bc5021f0477f09b929e43eb2b028945d4ef73677a

SHA512
e3d75723132463e51dbf7868e8d5d2c83725fc24c6ea510421afbcc9fc70006821dee3573cc0f6629e5d3376513df3b14accd486c699b0c95ca9d16738c8fada

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
20687df9d1be3687a24371f7c0df63e8

SHA1
3392003020d5885bf6c53cdad7ad739d4e2a2f03

SHA256
384a6aba9fb31f1016620d4ab27b105ac47dd99ece4317fbf5223d08f42036b7

SHA512
1423dadbc67925f42ffd29133e8d40c533f4936d5469ba3247a738cd84fec89b98b291d22321333ef9ca969688a1a36d904a3ef7a9e94a5b69be03d41a886741

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
79163358e656fc99557d68468c9868c4

SHA1
b6cf43ee3e0a2016acb224cdd2ed58fa4a0bf521

SHA256
00f68536222c0ad8bfe6c5bc77ff2d54b0da1188fcf279c031c3d575b2e148b2

SHA512
7270432fcc09b634418a71a8cc0b6a478017d9d155269531adc7915153ed8a75f897ab4d6462e4121ff613e9ec49188cec5529df24dde9115cd351a22542c707

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
37adf5c503c0b6072ef5f1a5b614011d

SHA1
ce8d52efc4067f809a308fd1f7e0c6ea56739ab8

SHA256
cb79d17d9f5af3c8912f33ac9735abe091bf64457ccc90868b7125bc7de21a0e

SHA512
6ffc62af06af62ec08f3c7124e9a1644396b70f12320eaa3a5ca10b2371e81565c9d48ef78ad184ffe0b0f769b887c9767c6c448a8a12a61e9e551cc5a49de85

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
95a69e37fd9f4427174f2a9091975c00

SHA1
c9032e8496c9e1f53d16dac546267c507525bae1

SHA256
985ed393cffb92b7c1c653bcc0a9ed779bf56e4d3fc9a9f69f9840e945ec9912

SHA512
1c61a842f6976ec889a496693814eaa298864092e0cce32404ba0e7c0b838208732bc1c66d97d7d727c8faf3475e88283c503b78c32b27fc10347ae5c522bdae

Download Submit
memory/1384-20-0x00000000042C0000-0x00000000042C8000-memory.dmp

Filesize
32KB

Download
memory/1384-17-0x00000000041E0000-0x00000000041E8000-memory.dmp

Filesize
32KB

Download
memory/1384-23-0x0000000004280000-0x0000000004288000-memory.dmp

Filesize
32KB

Download
memory/1384-24-0x0000000004540000-0x0000000004548000-memory.dmp

Filesize
32KB

Download
memory/1384-25-0x00000000048F0000-0x00000000048F8000-memory.dmp

Filesize
32KB

Download
memory/1384-26-0x00000000047F0000-0x00000000047F8000-memory.dmp

Filesize
32KB

Download
memory/1384-27-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/1384-18-0x0000000004200000-0x0000000004208000-memory.dmp

Filesize
32KB

Download
memory/1384-40-0x0000000004200000-0x0000000004208000-memory.dmp

Filesize
32KB

Download
memory/1384-0-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1384-48-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/1384-50-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/1384-11-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/1384-63-0x0000000004200000-0x0000000004208000-memory.dmp

Filesize
32KB

Download
memory/1384-4-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/1384-71-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/1384-73-0x0000000004660000-0x0000000004668000-memory.dmp

Filesize
32KB

Download
memory/1384-2-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1384-95-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing